I'm not skilled in networking, but I have some of the basics. I need to know how to set up Wireshark so I can analyze the traffic between my Mac and my router. I have a separate Windows machine I can use for this. From what I've read here:

I need another NIC card in my Windows machine in order to complete the setup. Thing is, I don't really know how to set it up in Wireshark. It would be great if someone held my hand and stepped it out, but this may be unrealistic. If so, can someone point me in the direction to learn how to do this? I've been able to observe the traffic on the Windows machine Wireshark is installed on, but not the Mac.

In case you're curious, I believe I may have malware on my Mac connecting to the network, and I want to monitor the traffic to determine if my hunch is correct.

If you have Cisco gear, it's pretty easy to set up a spanning port. If you're talking about a Linksys/D-Link (or similar) router, it's a bit more difficult/less reliable.

Do some searches on ARP spoofing. You'll find a ton of "how-to's". If you don't want to do ARP spoofing, you can route your traffic from the Mac to your Windows box, but I do believe you'll need multiple NICs on the Windows box at that point.

Other ways of doing what you want, which will be better in my opinion:

- Use a hub (not a switch), which is harder to get these days, but can be done.

- Build a network tap (I like this option the most). A little bit of physical hardware hacking and you can get some neat options.

When you do this, other than the MITM, you'll probably not want to configure your network interface card. It keeps traffic like ARP and the like for the card out of the capture. Just set the card to unconfigured and let it capture all the traffic coming to it. Promiscuous mode will probably work better.

There are a few ways of doing so, as already described by many guys, like getting a hub, Arpspoof, or a SPAN port (high-end routers).

But much before all that you should learn about switching and routing, at the least how they work and why a hub is required to sniff things out. The best learning in hacking is not just knowing how to use tools but knowing how things work and then how the tools work.

I've been looking for rare flashes on my router coming from my Mac that don't show up on my app firewall reporting tool (Little Snitch). When it occurred with Wireshark running, I got a lot of black with red text going to Google of all places:

I was hoping it was enough info to ensure data wasn't being transmitted to a malicious server, possibly through a keylogger or something else. Does the info provided allow me to confirm that isn't happening?

Great description of the traffic BTW. Thank you very much.

"maybe GMail or Google talk"

Was encrypted search (Beta). Just left the window open and waited for the LED light to flash on my router without Little Snitch reporting it. Then stopped the capture and examined it.

"Why is your machine trying to send such big windows sizes?"

I have no idea. This is a fresh install of Snow Leopard (on a new machine). I'm guessing it's the default for Chrome?

macattack wrote: I was hoping it was enough info to ensure data wasn't being transmitted to a malicious server, possibly through a keylogger or something else. Does the info provided allow me to confirm that isn't happening?

There's no definitive way to determine this because of TLS, for one; secondly, you didn't give enough data. If you think that "oh, it's only Google..." then you're in for a surprise. How do you know someone didn't compromise a machine at Google and client-side you? (http://threatpost.com/en_us/blogs/insid ... are-011910) There is no definitive way to determine WHAT data inside of encrypted packets was sent. The LIKELIHOOD of it being something malicious is altogether different. What I can tell is that it's just a funky connection with some packet loss.

You seem to be confused about what a keylogger typically does. Most keyloggers record your keystrokes to a FILE located ON your machine and then transfer that file elsewhere. Trying to dissect every single connection that your machine makes would drive you insane. As a test, pick a date that you KNOW you will NOT be using your machine. On that date, start up tcpdump or Wireshark to catch what is going on... Let it run all day if possible, then try making sense of it afterwards. My suggestion: use Netwitness Investigator + Wireshark.

One would be surprised to see the amount of connections coming in and out of a machine without any intervention. If you 'assume' something odd is occurring, throw on Snort as an EXTRUSION detection system and fire up SGUIL. Invert the rules so you can see and log what occurs on outbound connections. This is your best bet to see any truly anomalous connections.
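The "let it run all day, then make sense of it" advice above boils down to one question: which outbound flows did the idle Mac open, and to where? The following is an added example, not code from any of the posters or from Wireshark/tcpdump: a small pure-Python reader for a classic pcap file (as written by tcpdump or Wireshark from a hub, tap or SPAN port) that tallies outbound TCP/UDP flows from one host and flags destination ports outside a short expected list. The Mac's address `192.168.1.10`, the expected-port list, and the sample capture are all assumptions; the capture is constructed inline with documentation-range addresses so the script runs offline.

```python
"""Tally outbound flows from one host in a classic pcap (added example, constructed data)."""
import struct
from collections import Counter

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def parse_pcap(data):
    """Yield (timestamp, raw_frame) per record; accepts both pcap byte orders."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        frame = data[off:off + incl_len]
        if len(frame) < incl_len:
            break  # truncated final record (capture killed mid-write): stop quietly
        off += incl_len
        yield ts_sec + ts_usec / 1e6, frame


def parse_flow(frame):
    """Return (src_ip, dst_ip, proto, sport, dport) for IPv4 TCP/UDP, else None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # ARP and other non-IP chatter on the wire is ignored
    ip = frame[ETH_HDR_LEN:]
    ihl = (ip[0] & 0x0F) * 4
    proto = ip[9]
    if proto not in (PROTO_TCP, PROTO_UDP) or len(ip) < ihl + 4:
        return None
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport


def outbound_summary(pcap_bytes, host_ip, expected_ports=(53, 80, 443)):
    """Count (dst, proto, dport) for packets sent BY host_ip; flag ports outside expected_ports."""
    counts = Counter()
    for _ts, frame in parse_pcap(pcap_bytes):
        flow = parse_flow(frame)
        if flow and flow[0] == host_ip:
            _src, dst, proto, _sport, dport = flow
            counts[(dst, proto, dport)] += 1
    flagged = sorted(k for k in counts if k[2] not in expected_ports)
    return counts, flagged


# --- constructed sample capture (test data only, not a real trace) ---
def build_frame(src_ip, dst_ip, proto, sport, dport):
    """Minimal Ethernet/IPv4/TCP-or-UDP frame; checksums left zero, irrelevant for parsing."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (16 if proto == PROTO_TCP else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     bytes(int(x) for x in src_ip.split(".")),
                     bytes(int(x) for x in dst_ip.split(".")))
    return eth + ip + l4


def build_pcap(frames):
    """Wrap frames in a little-endian classic pcap container."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


MAC_IP = "192.168.1.10"  # assumed address of the Mac being watched
SAMPLE_PCAP = build_pcap([
    build_frame(MAC_IP, "192.168.1.1", PROTO_UDP, 51000, 53),       # DNS to the router
    build_frame(MAC_IP, "198.51.100.25", PROTO_TCP, 52000, 443),    # TLS to a stand-in "Google" (TEST-NET-2)
    build_frame("198.51.100.25", MAC_IP, PROTO_TCP, 443, 52000),    # reply, inbound: not counted
    build_frame(MAC_IP, "203.0.113.7", PROTO_TCP, 52001, 6667),     # odd port: gets flagged
    build_frame(MAC_IP, "203.0.113.7", PROTO_TCP, 52001, 6667),
    build_frame("192.168.1.20", MAC_IP, PROTO_TCP, 40000, 22),      # another LAN host: not counted
])

if __name__ == "__main__":
    counts, flagged = outbound_summary(SAMPLE_PCAP, MAC_IP)
    for (dst, proto, dport), n in sorted(counts.items()):
        print(f"{MAC_IP} -> {dst} {'tcp' if proto == PROTO_TCP else 'udp'}/{dport}: {n} packets")
    for key in flagged:
        print("UNEXPECTED:", key)
```

To use it on a real idle-day capture, replace `SAMPLE_PCAP` with `open("idle.pcap", "rb").read()` and set `MAC_IP` to the Mac's real address. The port allowlist is deliberately tiny: the goal is a short list of destinations to look up, not a verdict. As the reply above says, this cannot tell you what was inside a TLS session, only who the Mac talked to and how often, which is exactly the input an inverted Snort/Sguil rule set would also give you.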